Why U.S. Regulators Should Heed the Lessons Learned From the Muddled GDPR Rollout

Lawmakers should consider the needs of smaller ad-tech outfits and consumers

Let's hope U.S. lawmakers draft regulations that consider the needs of smaller companies. Getty Images
Headshot of Ronan Shields

Last week the Los Angeles Attorney General filed a lawsuit alleging that IBM-owned The Weather Channel app deceptively ‘collected, shared and profited’ from the data of millions of unwitting Americans via the location tracking capabilities of its mobile service.

In their filing, prosecutors allege the business was not transparent in its communications over how it uses data collected via the app, i.e., shared with location-based outfits for advertising among other pursuits.

Per Los Angeles Attorney General Michael N. Feuer, users of the app need to be fully informed over how their data–or movements–will be monetized and alleged that such incomplete communications violate California’s Unfair Competition Law. An IBM spokesman defended the company and told The New York Times it has been fully compliant in its communication with consumers via the app, the case continues.

As noted in a previous contributed piece, such regulations try to usher in consent, or rather informed consent, as a core mechanism between online service providers and the public. And such a philosophy is an ethically sound basis for interactions between private enterprises and the public.

Similarities with GDPR

The sentiments expressed in Feuer’s assertions are reminiscent of the tenets of the European Union’s General Data Privacy Protection Regulations (GDPR), which were enforceable since May 25, 2018. This was much to the chagrin of the digital media sector there, as many globally recognized names in the online media industry pulled out of the EU ahead of the law going live.

I draw this analogy not least because of the impending consumer privacy laws in California set for enforcement in 2020, but also as a nod to the (anticipated) equivalent U.S. federal privacy laws that are expected to follow in the near-to-mid future.

However, just as lawmakers expect private companies to speak openly with a coherent message to the public, those in charge of drafting and enforcing such legislation need to do likewise and ultimately this is where the powers behind GDPR have fallen far short of their original intentions.

There is a widely held perception in the industry that GDPR was initially conceptualized and implemented by EU politicians as part of their ongoing efforts to rein in the power of Silicon Valley’s most significant names–as well as promote consumer privacy–and better promote market diversity.

However, while Facebook and Google have already faced legal complaints under these regulations, it appears that GDPR has somewhat inadvertently led to a scenario whereby the titans of Silicon Valley have benefited from its enforcement while smaller companies in the space have lost market share.

‘Regressive effects on competition’?

Anecdotal testimony of the downturn experienced by ‘independent ad tech’ in EU markets since May 25 is easy to come by when speaking to sources there. One source I spoke to in the immediate aftermath of the enactment of GDPR noted how media agencies were adopting an ultra-cautious approach. “At the end of the day, if you’re not Google or Facebook, you’re unlikely to be on our plans in a big way during the second half of 2018,” he said, recounting several prior conversations he’d had with major network agencies.

Additionally, a comparison study by Cliqz on the number of active trackers on EU websites (let’s consider this a proxy for market share) pre- and post-GDPR enforcement demonstrates the disparity of fortunes in the market (see chart below).


The same report notes that there has been an overall reduction in the number of trackers on EU websites (a win in the consumer privacy crusade), but the divergent fortunes of ad-tech players in the market is undoubtedly an unintended consequence.

According to the study, dubbed Who Tracks Me?, since April 2018 the average number of trackers per page in the EU has dropped by almost 4 percent–this is in addition to outfits such as Drawbridge, Kargo and Verve pulling out of the EU members states in the first half of 2018.

“We measure that GDPR may have had regressive effects on competition in the online advertising space in Europe,” reads the Cliqz report.

Dysfunctional ambiguity

At the core of the unease ushered in by GDPR is the subject of whether or not ad-tech players have user consent–be this in the form of an explicit green light from consumers or by way of “legitimate interest” passed on by a third party–plus just whom is a “data owner” and whom is a “data processor”, among other bones of content, and since May 25 confusion has reigned supreme in the market.

The IAB has attempted to broker agreement on just what constitutes consent and how can it reasonably be passed along the ad-tech supply-chain but differing interpretations have meant that Google has yet to put its name to the trade body’s framework, although it has claimed it will sign up to it. Additionally, sources I have spoken with assert that the second version of the IAB Consent Framework, now expected in the second half of 2019, has been delayed over requests from publishers for better provisions on how they can manage which consent signals are passed along to specific ad-tech partners.

Meanwhile, as ambiguity over the wording of GDPR continues to cause dysfunction in the market, advertisers are opting to channel their spend towards the walled gardens of the industry’s largest names. The concentration of ad spend is due to the consumer-facing aspects of walled gardens, making it easier for them to gain explicit user consent, not to mention their vast financial resources to hire lawyers that can construct legal defenses. Thus marketers have one less problem to worry about (in theory) and we find ourselves in a scenario where the right get richer.

All of this comes at the cost of independent ad tech, not to mention the premium publishers they work with, and market plurality has suffered as a result of the lack of clarity from the powers that be over this European legislation in my opinion.

Most sources I speak to maintain that the only parties to have substantially benefited from GDPR have been the lawyers paid to interpret them, with few parties the wiser for all of this expense, and that all of this could have been avoided with greater prescience along with clearer guidance.

U.S. lawmakers, either at state or federal level, it follows, need to consider such regulations when drafting legislation with wording that benefits both consumers and industry alike, not just the lawyers.

@ronan_shields ronan.shields@adweek.com Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.
Publish date: January 8, 2019 https://dev.adweek.com/programmatic/why-u-s-regulators-should-heed-the-lessons-learned-from-the-muddled-gdpr-rollout/ © 2020 Adweek, LLC. - All Rights Reserved and NOT FOR REPRINT